Exactly the Same, but Different - ISSA Chattanoogachattanooga.issa.org/.../01/Mobile_Device_Security_sm.pdfExactly the Same, but Different Shayne Champion, CISSP, CISA, GSEC, ABCP

1

Exactly the Same, but Different

Shayne Champion, CISSP, CISA, GSEC, ABCP

Program ManagerGO Cyber SecurityTVA

v 1.0

2

Agenda

� Define Mobile Device Security

o Similarities

o Differences

� Things you Should be Doing

3

Mobile Device Security

“There is no question that mobile security will eventually equal – if not surpass – PC security as a threat to IT departments.”Denise Culver, Heavy Reading Mobile Networks Insider

4

Mobile Device vs. Computers:SIMILARITIES

5

Definitions: Level Setting

Com·put·er [kuhm-pyoo-ter] : An electronic device designed to accept data, perform prescribed mathematical and logical operations at high speed, and display the results of these operations.

Mo·bile De·vice [moh-buhl dih-vahys] :A portable, wireless computing device that is small enough to be used while held in the hand; a hand-held.

Source: http://dictionary.reference.com/browse/computer

6

7

NEWS FLASH:

MobileDevices

AREComputers!!!

Sources: http://nordhaus.econ.yale.edu/prog_030402_all.pdf http://www.anandtech.com/show/4215/apple-ipad-2-benchmarked-dualcore-cortex-a9-powervr-sgx-543mp2/2http://www.slashgear.com/ipad-2-benchmarks-blast-competition-show-less-than-1ghz-processor-speed-13139678/

…and we can do something about that, can’t we?

8

Same Kind of Different…

Same kind of security controls you *should* use anyway:� Encryption� NAC� DLP� AV / Malware� Inventory Management� Controlled Admin Privileges� Port & Service Management

9

Similarity: Order of Magnitude

Risk from an OSI perspective:

� Most risk shifting to applications

� Lower-level layers becoming relativelymore ‘tame’

Source: http://www.sans.org/top-cyber-security-risks/trends.php

10

Define: Metadata

Metadata : Data that defines or describes another piece of data.

Metadata may reveal more about you, your organization, or your devices than you realize. Many devices, such as your computer, camera, or smart phone, automatically embed metadata in any digital files they create.

Source: http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201204_en.pdf

11

Metadata

Some examples of metadata include:� File creation date and time� The address or geographic location where the file was created� Your name, organization’s name, and computer’s name or IP address� The names of any contributors to the document or their comments� Type of camera you are using and its settings when the photo was

taken� Type of audio or video recording device you are using and its settings

when a recording was taken� Make, model, and service provider of your smart phone


12

Metadata Solutions

Metadata Tools:

� Document Inspector : http://preview.tinyurl.com/3996c2a

� EXIF Metadata Explanation: http://preview.tinyurl.com/775mbxc

� Free Metadata Extraction Tool: http://meta-extractor.sourceforge.netor http://preview.tinyurl.com/aueb4

� Disabling Geo-location for Smartphone Camerashttp://preview.tinyurl.com/3v4xznm


* ( + )=

13

Unsecured WAP – Sidejack Math

� Sidejacking - A well-known Wi-Fi hotspot attack that takes advantage of websites that don’t use SSL/TLS encryption correctly by pirating the legitimate user’s cookies and using those in the attacker’s session (session hijacking)

� Firesheep – A Mozilla Firefox plug-in that automates session hijacking attacks over unsecured Wi-Fi networks. The packet sniffer analyzes traffic between a Wi-Fi router and a person’s laptop or smartphone and captures the session cookie ("point-and-click" sidejacking)

Source: http://searchsecurity.techtarget.com/news/2240112288/Top-5-mobile-phone-security-threats-in-2012http://searchnetworking.techtarget.com/answer/Be-aware-of-Wi-Fi-security-to-deal-with-Firesheep-at-public-hotspots

14

Mobile Device vs. Computers:DIFFERENCES

15

Risk Remediation

Mobile Device risks are the same as many of the risks we already face everyday. For example…

Source: http://www.youtube.com/watch?v=I4_qg22Onak&feature=related

16

Difference 1: BYOD

Source: http://www.sans.org; SANS Mobility / BYOD Security Survey March 2012 http://www.networkworld.com/news/2012/041712-byod-258264.html?page=3

How do you handle user-owned devices?� Applications� Data Ownership� Encryption

NetworkWorld BYOD Survey:65.3% necessary tools not in place46.2% increased end user productivity5.7% said it lead to breech, while 66.7% said no 47.2% increased end users' ability to work from home

SANS Survey:

17

Difference 2: SMS

SMS: Short Messaging Service, or text messages

Common Vulnerabilities:

1) SMS of Death2) Midnight Raid Business Card Attack3) SMS Tokens4) Smishing Attacks

Source: http://www.infosecisland.com/blogview/12656-The-SMS-of-Death-Mobile-Phone-Attack-Explained.htmlhttp://www.csoonline.com/article/491200/3-simple-steps-to-hack-a-smartphone-includes-video-

18

SANS Survey: Platform Support

Source: http://www.sans.org; SANS Mobility / BYOD Security Survey March 2012

19

SANS Survey: Platform Support


20

Each platform – even within the same OS – have unique characteristics, default settings, and/or vulnerabilities:

� PIN settings– Service Carrier– Like default passwords on

routers or admin accounts� iPhone / iPad batteries

Scope: Android Fragmentation� 281+ different products� 850,000 daily activations� 300,000,000+ total devices

Sources: http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201204_en.pdfhttp://en.wikipedia.org/wiki/Comparison_of_Android_devices

Difference 3: Hardware / Carrier

21

Hardware / Carrier: PIN Codes

Ten numbers represent 15% of all cell phone pass codes

Sources: Rooney, Ben (15 June 2011). "Once Again, 1234 Is Not A Good Password". The Wall Street Journal. http://blogs.wsj.com/tech-europe/2011/06/15/once-again-1234-is-not-a-good-password/.Retrieved 8 July 2011.

http://www.phonearena.com/news/Do-you-use-one-of-the-most-common-lock-PINs_id19533

22

Hardware / Carrier: PIN Codes

Ten numbers represent 15% of all cell phone pass codes:

1) 12342) 00003) 25804) 11115) 5555

Sources: Rooney, Ben (15 June 2011). "Once Again, 1234 Is Not A Good Password". The Wall Street Journal. http://blogs.wsj.com/tech-europe/2011/06/15/once-again-1234-is-not-a-good-password/. Retrieved 8 July 2011.

http://www.phonearena.com/news/Do-you-use-one-of-the-most-common-lock-PINs_id19533

6) 5683 (spells 'LOVE')7) 08528) 22229) 121210) 1998

Other popular choices include Year of birth & Year of graduation (social triangulation!).

23

PIN Code >>> Data Loss

CASE STUDY: VERIZON WIRELESS

Corporate Support Web Page

How do I access my Voice Mail to retrieve messages?� To access your Voice Mail, press "*VM" (*86), then "SEND." Follow

the prompts to enter your password and retrieve your messages. If you press "*VM" (*86) and hear your own or a system greeting, press the # key to interrupt the greeting and follow the prompts to enter your password and retrieve your messages.

Source: http://support.verizonwireless.com/clc/faqs/Features and Optional Services/faq_voice_mail.html

24

Difference 4: Caller ID / ANI

ANI : Automatic Number Identification (NAC for cell phones)

Masquerading as the target cell number, threat actors may be able to steal unsecured data. Possible vectors include:

� VXML� Social Engineering� Orange Box Spoofing

Sources: http://wiki.docdroppers.org/index.php?title=ANI_and_Caller_ID_Spoofing#So.2C_just_what_is_ANI.3Fhttp://www.ncvc.org/src/AGP.Net/Components/DocumentViewer/Download.aspxnz?DocumentID=44055

25

Social Engineering: Telco

Social Hack Scenario:You pick up the phone, at the dial tone call 10102880

AT&T Automated Operator: "AT&T,�to�place�a�call…"�Enter 800-646-0000

AT&T Automated Operator: "Thank�you�for�using�AT&T"�<RING>�

Telus: This�is�the�Telus�operator,�Lisa�speaking.�(or,�This�is�the�Telus�operator,�what�number�are�you�calling�from?)�

You: Hi�Lisa,�This�is�the�Telus�technician,�you�should�see�an�ANI�failure�on�your�screen,�I'm�calling�from�[number to spoof] I�need�you�to�place�a�test�call�to�[number to call]

Telus: Thank�you�from�Telus�

Source: http://wiki.docdroppers.org/index.php?title=ANI_and_Caller_ID_Spoofing#So.2C_just_what_is_ANI.3F

26

Threat Actors

The APT in action…

Source: http://www.youtube.com/watch?v=ETMkub3NwK0

27

Application Vulnerabilities

� Native to many mobile OS (smart phone & tablet)Mobile Device Management (MDM)

� Default Permissions may be invasivee.g., Apple log file stores all visited geo-locations

� Open Web Application Security Consortium (OWASP)https://www.owasp.org/index.php/Mobile

Source: http://en.wikipedia.org/wiki/Mobile_device_management

“Application security is the next big trend in penetration testing… which means it’s already the big trend for hackers.”Joe McCray, Strategic Security LLC

28

Lessons Learned

Top 5 from the 2012 SANS Mobile Device Security Summit

1) Jailbreaking & Rooting is BAD for mobile device security

2) The OWASP Mobile Top 10 is going to be just as important

3) Mobile Threats are an evolving, moving target; security teams have to be quick to adapt to new mobile technology

4) Mobile Device Management (MDM) solutions are a requirement for any deployment

5) Apple iOS devices are preferred over Android in the enterprise

Source: http://www.infosecisland.com/blogview/20752-Top-5-Things-Learned-at-the-SANS-Mobile-Device-Security-Conference

Mike Jones, Symantec

29

Things You Should Be Doing

“For many professionals, the mobile phone has become a mobile office.”

Mike Jones, Symantec

30

Control Starts at the Policy


31

Mobile Policy Best Practices

� Think from a threat controls perspective:

o Consider capabilities of mobile devices and apps in your environment

o Identify threat vectors & mitigate

o Identify non-technically enforceable controls and address with administrative policies & awareness

� Assess how mobile devices are already managed

� Use existing policies as a guideline

� Consider how to test successful control implementation


32

2012 Top 5 Mobile Security Threats

1) Geolocation exploits2) Excessive Permissions3) Mobile Application Vulnerabilities4) Unsecure Wi-Fi5) Lost and Stolen Devices

Source: http://searchsecurity.techtarget.com/news/2240112288/Top-5-mobile-phone-security-threats-in-2012

33

Mobile Risk Management Tools


34

Protecting the Mobile Executive

Considerations for your Mobile Policy / Best Practices:

� USER EDUCATION

� Physical Security

� Leave it at Home– Clean Loaner Devices– Prepaid Cellular devices– Blank SIM cards– * + Google Voice

Source: http://threatpost.com/en_us/slideshow/How%20to%20Avoid%20Getting%20Hacked%20While%20Traveling?page=0

� Fear Public Wireless– Use Conference WAPs– Corporate VPNs

� 2G = No E!

� Don’t Blab

35

Its About the Basics

Verizon Business 2011 Data Breach Investigations Report (DBIR)

Analysis of 2011 attacks determined that:

� 83% were targets of opportunity

� 92% were not highly difficult

� 95% were avoidable through simple or intermediate controls

Source: http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf

SANS Top 20 Controls (v 3.1)

1: Inventory of Authorized and Unauthorized Devices

2: Inventory of Authorized and Unauthorized Software

3: Secure Configurations for Hardware and Software on Laptops, Workstations, & Servers

4: Continuous Vulnerability Assessment & Remediation

5: Malware Defenses

6: Application Software Security

7: Wireless Device Control

8: Data Recovery Capability

9: Security Skills Assessment and Appropriate Training to Fill Gaps36

10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

11: Limitation and Control of Network Ports, Protocols, and Services

12: Controlled Use of Administrative Privileges

13: Boundary Defense

14: Maintenance, Monitoring, and Analysis of Security Audit Logs

15: Controlled Access Based on the Need to Know

16: Account Monitoring and Control

17: Data Loss Prevention

18: Incident Response Capability

19: Secure Network Engineering

20: Penetration Tests and Red Team Exercises

37

Summary

� Mobile Devices vs. Computerso Similarities (yes Forrest, they are computers)

o Differences� SMS� Native Metadata� Hardware / Carrier Issues (PINs, etc)� Sidejacking� Application Vulnerabilities

� Things you Should be Doingo Policieso User Educationo Protect the Execso SANS Top 20 <-> Top 5 Mobile

38

Questions

39

New Mobile Security Tools

“Bleeding Edge” Mobile Security Solutions

40


Can you hear me NOW, punk?!?

41


AndroidSecurity

If you need to ask, you don’t need to know.

Really.

Source:http://www.techrepublic.com/photos/obscure-costumes-at-emerald-city-comic-con-2012/6357085?seq=24&tag=thumbnail-view-selector;get-photo-roto

42


Sometimes Simple Security = Great Solutions…

43


Hot from the UK: Less Mobile = Harder to Steal

44


Old School Tech

45


Keeping ahead of the Technology Curve…

Source:http://www.techrepublic.com/photos/obscure-costumes-at-emerald-city-comic-con-2012/6357085?seq=24&tag=thumbnail-view-selector;get-photo-roto

Documents

Exactly the Same, but Different - ISSA Chattanoogachattanooga.issa.org/.../01/Mobile_Device_Security_sm.pdfExactly the Same, but Different Shayne Champion, CISSP, CISA, GSEC, ABCP